From f902253a124bd45a5011204ea4f9e6226b12d561 Mon Sep 17 00:00:00 2001 Message-Id: From: Mark Wooding Date: Thu, 10 Jan 2008 21:11:02 +0000 Subject: [PATCH] Web UI nonces are now base64-encoded, and have a shorter key. Organization: Straylight/Edgeware From: Richard Kettlewell --- server/dcgi.c | 25 +++++++++++++++++-------- templates/choose.html | 12 ++++++------ templates/help.html | 4 ++-- templates/new.html | 4 ++-- templates/playing.html | 24 ++++++++++++------------ templates/recent.html | 2 +- templates/search.html | 2 +- templates/topbar.html | 16 ++++++++-------- 8 files changed, 49 insertions(+), 40 deletions(-) diff --git a/server/dcgi.c b/server/dcgi.c index 81b6943..b7a8508 100644 --- a/server/dcgi.c +++ b/server/dcgi.c @@ -57,6 +57,7 @@ #include "url.h" #include "mime.h" #include "sendmail.h" +#include "base64.h" char *login_cookie; @@ -73,15 +74,23 @@ struct entry { const char *display; }; +static const char nonce_base64_table[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*"; + static const char *nonce(void) { - static unsigned long count; - char *s; - - byte_xasprintf(&s, "%lx%lx%lx", - (unsigned long)time(0), - (unsigned long)getpid(), - count++); - return s; + static uint32_t count; + + struct ndata { + uint16_t count; + uint16_t pid; + uint32_t when; + } nd; + + nd.count = count++; + nd.pid = (uint32_t)getpid(); + nd.when = (uint32_t)time(0); + return generic_to_base64((void *)&nd, sizeof nd, + nonce_base64_table); } static int compare_entry(const void *a, const void *b) { diff --git a/templates/choose.html b/templates/choose.html index db8c257..e466975 100644 --- a/templates/choose.html +++ b/templates/choose.html @@ -118,7 +118,7 @@ USA @if{@ne{@arg:directory@}{}@}{
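Review bot: In the new nonce() body, `nd.pid = (uint32_t)getpid();` stores the pid into a 16-bit field, so the cast documents nothing and the value is silently truncated to its low 16 bits; on a system whose pid_max exceeds 65535, two CGI processes with pids 65536 apart that both emit a nonce in the same second with the same count value produce identical nonces, and `nd.count = count++` applies the same narrowing from the `uint32_t` counter. If per-process uniqueness is all that is required this may be acceptable, but the trade-off should be stated next to the struct, e.g. `/* pid and count are deliberately truncated to 16 bits to keep the nonce short; collisions require pids 65536 apart in the same second */`. All three inputs (time, pid, counter) are predictable, so if any caller relies on the nonce being unguessable rather than merely unique, the shorter encoding does not help and a comment on nonce() stating which property it guarantees would prevent that misuse. `nd` is also never zeroed, so any padding the compiler inserts between the fields would be encoded as well; 2+2+4 bytes presumably packs without padding on common ABIs, but a `memset(&nd, 0, sizeof nd);` before the assignments makes the encoded bytes fully determined.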

@navigate{@arg:directory@}{/@basename@}@:

+ href="@url@?action=choose&directory=@urlquote{@fullname@}@&n=@nonce@">@basename@}@:

}@ @if{@isdirectories@}{ @@ -129,7 +129,7 @@ USA @choose{directories}{

@right{prefs}{@label:choose.prefs@}@ @transform{@file@}{track}{display}@ @if{@eq{@trackstate{@file@}@}{playing}@}{[playing]}@ @if{@eq{@trackstate{@file@}@}{queued}@}{[queued]}@ @@ -162,12 +162,12 @@ USA }@

@right{prefs}{@label:choose.allprefs@}@ - + @label:choose.playall@

diff --git a/templates/help.html b/templates/help.html index 53c6169..135c037 100644 --- a/templates/help.html +++ b/templates/help.html @@ -192,9 +192,9 @@ USA

This screen has two forms: choose, which give + href="@url@?action=choose&n=@nonce@">choose, which give you all the top-level directories at once, and choosealpha, + href="@url@?action=choosealpha&n=@nonce@">choosealpha, which breaks them down by initial letter.

This screen will may not be available if you are not logged in diff --git a/templates/new.html b/templates/new.html index 49746ce..52bac0e 100644 --- a/templates/new.html +++ b/templates/new.html @@ -54,14 +54,14 @@ USA >@part{short}{album}@}@ @right{play}{@part{short}{title}@}{@part{short}{title}@}@ @length@ @right{prefs}{ @label:choose.prefs@ diff --git a/templates/playing.html b/templates/playing.html index b53c2c0..c75a7d6 100644 --- a/templates/playing.html +++ b/templates/playing.html @@ -35,7 +35,7 @@ USA @label:playing.pause@ @@ -44,7 +44,7 @@ USA @label:playing.pause@ @@ -54,7 +54,7 @@ USA @label:playing.random@ @@ -63,7 +63,7 @@ USA @label:playing.random@ @@ -73,7 +73,7 @@ USA @label:playing.playing@ @@ -82,7 +82,7 @@ USA @label:playing.playing@ @@ -157,7 +157,7 @@ USA title="@part{title}@">@part{short}{title}@ @length@ @if{@scratchable@}{@label:playing.scratch@}{@part{short}{title}@ @length@ @if{@removable@}{@label:playing.remove@}{ @label:playing.upall@ @label:playing.up@ }@ @@ -246,13 +246,13 @@ USA @label:playing.downall@ @label:playing.down@ }@ diff --git a/templates/recent.html b/templates/recent.html index c9e1674..9b46d78 100644 --- a/templates/recent.html +++ b/templates/recent.html @@ -61,7 +61,7 @@ USA @length@ @right{prefs}{ @label:choose.prefs@ diff --git a/templates/search.html b/templates/search.html index b534591..ea7a632 100644 --- a/templates/search.html +++ b/templates/search.html @@ -52,7 +52,7 @@ USA @search{title}{

Title: - @part:title@ + @part:title@ @if{@eq{@trackstate{@file@}@}{playing}@}{[playing]}@ @if{@eq{@trackstate{@file@}@}{queued}@}{[queued]}@

diff --git a/templates/topbar.html b/templates/topbar.html index 5c6c515..f7019b1 100644 --- a/templates/topbar.html +++ b/templates/topbar.html @@ -3,29 +3,29 @@ href="@url@" title="@label:sidebar.playingverbose@">@label:sidebar.playing@ @label:sidebar.recent@ @label:sidebar.new@ @right{play}{ @label:sidebar.choose@}{ @label:sidebar.choose@}@ @right{play}{ @label:sidebar.search@}{ @label:sidebar.search@}@ @label:sidebar.login@ @label:sidebar.help@ @label:sidebar.about@


-- [mdw]